Skip to content

build(deps): bump js-toml from 1.0.2 to 1.2.1#1007

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/js-toml-1.2.1
Open

build(deps): bump js-toml from 1.0.2 to 1.2.1#1007
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/js-toml-1.2.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps js-toml from 1.0.2 to 1.2.1.

Release notes

Sourced from js-toml's releases.

v1.1.2

Security

  • Fix silent acceptance of duplicate keys whose prior value is a falsy primitive (GHSA-m34p-749j-x6m6, CWE-697).

    The interpreter checked whether a key already existed with a truthy test (if (object[key])) instead of key in object. When the prior value was a falsy primitive — false, 0, 0.0, -0.0, nan, or "" — the duplicate-key branch was skipped and the value was silently overwritten by a later table, dotted-key sub-table, or array-of-tables of the same name, instead of raising a parse error as the TOML 1.0.0 spec requires. A boolean false could thus surface as a truthy object in the parsed result.

    All users on 1.1.1 or earlier are affected and should upgrade to 1.1.2.

    Reported by @​CosmicCrusader23 — thank you.

Fixed

  • Reject array-of-tables headers ([[a.b]]) that descend into a statically-defined array. getOrCreateArray lacked the immutability guard that createTable already had, so such input either threw an uncaught TypeError or silently mutated the static array instead of raising SyntaxParseError.

Full changelog: sunnyadn/js-toml@v1.1.1...v1.1.2

v1.1.1

Security

  • Fix CPU exhaustion via O(n²) BigInt construction on radix-prefixed integer literals (GHSA-wp3c-266w-4qfq, CWE-400, CWE-407).

    The 0x / 0o / 0b integer parser previously used a hand-written BigInt accumulator loop that ran in O(n²) in the literal length, allowing a single attacker-supplied ~500 kB radix literal to block the Node.js event loop for tens of seconds. The fix switches to the V8 native BigInt(prefixedString) constructor (O(n)) and caps radix-prefixed literals at 1000 digits, matching jackson-core's StreamReadConstraints.maxNumberLength default.

    All users on 1.1.0 or earlier are affected and should upgrade to 1.1.1.

    Reported and patched by @​tonghuaroot — thank you.

Full changelog: sunnyadn/js-toml@v1.1.0...v1.1.1

v1.1.0

What's New

  • TOML serialization: New dump() function to convert JavaScript objects to TOML strings
  • Security: Resolved all Dependabot alerts by upgrading chevrotain (11→12), vitest, and transitive dependencies

Bug Fixes

  • Fix silent error swallowing in tryCreateKey (non-DuplicateKeyError exceptions were silently dropped)
  • Fix tokenInterpreters Map misuse (declared as Map but used as plain object)
  • Remove dead/broken octal escape code path in string unescaping

Internal

  • Add createCategoryToken helper to reduce token registration boilerplate
  • Simplify hasRenderableHeader logic in TOML generator
  • Upgrade chevrotain 11→12 (drops lodash-es dependency)
  • Upgrade vitest/coverage-v8 to 4.1.4

v1.0.3

... (truncated)

Changelog

Sourced from js-toml's changelog.

[1.2.1] - 2026-07-08

Fixed

  • Dates with years below 100 (e.g. 0001-01-01T00:00:00Z) were rejected or mis-parsed via JavaScript's legacy Date year mapping; they now parse correctly.
  • Out-of-range UTC offsets (+25:00, +12:60) were accepted; they are now rejected per RFC 3339.
  • Duplicate super-table headers ([a.b] then [a] twice) were accepted; redefinition is now an error per the spec.

Changed

  • The vendored toml-test suite is upgraded to the official v2.2.0 TOML-1.1.0-gated set (332 → 681 cases, zero exclusions).

[1.2.0] - 2026-07-08

Added

  • TOML v1.1.0 support, enabled by default (spec changelog):
    • toml-lang/toml#904= or a dotted-key .), exactly as the spec ABNF requires.
    • \xHHtoml-lang/toml#796
    • \etoml-lang/toml#790
    • toml-lang/toml#894:00 (13:37 loads as "13:37:00"). Fractional seconds still require whole seconds per the spec ABNF.

Changed

  • Documents that were syntax errors under TOML 1.0.0 but are valid TOML 1.1.0 (see above) now parse successfully instead of throwing SyntaxParseError. Every valid TOML 1.0.0 document parses exactly as before.
  • dump() intentionally keeps emitting TOML v1.0.0-compatible output (single-line inline tables, no trailing commas, \uXXXX escapes, full-precision datetimes) so generated documents remain readable by 1.0-only parsers.

[1.1.3] - 2026-06-30

Security

  • Fix uncontrolled recursion that let deeply nested input (arrays / inline tables) or a long dotted key drive load() past the V8 call stack and throw an uncaught RangeError, violating the documented SyntaxParseError contract and enabling a denial-of-service in services that parse untrusted TOML (GHSA-3g82-77xr-68x5, CWE-674). Neither the recursive-descent parser nor the tree-walking interpreter bounded nesting depth. load() now enforces a configurable maximum depth (load(toml, { maxDepth }), default 100), rejecting over-deep input as SyntaxParseError, with a top-level backstop that converts any residual native stack overflow into SyntaxParseError as well. Reported by @​kaimandalic.

Added

  • LoadOptions with a maxDepth option for load(), and an exported DEFAULT_MAX_DEPTH constant.

[1.1.2] - 2026-05-28

Security

  • Fix silent acceptance of duplicate keys whose prior value is a falsy primitive (false, 0, 0.0, -0.0, nan, "") (GHSA-m34p-749j-x6m6, CWE-697). The interpreter used a truthy existence check (if (object[key])) instead of key in object, so a later table, dotted-key sub-table, or array-of-tables sharing the same name silently overwrote the falsy value instead of raising a duplicate-key error. Reported by @​CosmicCrusader23.

Fixed

  • Reject array-of-tables headers ([[a.b]]) that descend into a statically-defined array. getOrCreateArray lacked the immutability guard that createTable had, so such input either threw an uncaught TypeError or silently mutated the static array instead of raising SyntaxParseError.

[1.1.1] - 2026-05-25

Security

... (truncated)

Commits
  • 0e30a87 chore: release v1.2.1
  • 09d9e59 Merge pull request #7 from sunnyadn/chore/toml-test-revendor
  • dd3804a fix(test): path-separator-agnostic encoding-case guard for Windows
  • 781ece3 chore: re-vendor toml-test v2.2.0 (TOML 1.1 gated set) and fix three conforma...
  • 75d7ef0 chore: release v1.2.0
  • b0a5ac5 Merge pull request #6 from sunnyadn/feat/toml-1.1
  • c45fb59 feat: TOML 1.1 support — multi-line inline tables, \xHH and \e escapes, optio...
  • 5f68239 chore: bump dev deps to fix Dependabot alerts (vite, esbuild)
  • 8b6ae4a chore: record journal
  • ad1b3ed refactor: consolidate depth-limit check into key() and simplify token type
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [js-toml](https://github.com/sunnyadn/js-toml) from 1.0.2 to 1.2.1.
- [Release notes](https://github.com/sunnyadn/js-toml/releases)
- [Changelog](https://github.com/sunnyadn/js-toml/blob/main/CHANGELOG.md)
- [Commits](sunnyadn/js-toml@v1.0.2...v1.2.1)

---
updated-dependencies:
- dependency-name: js-toml
  dependency-version: 1.2.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 13, 2026
@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (d676dee) to head (ec3a8e1).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@          Coverage Diff           @@
##           master   #1007   +/-   ##
======================================
  Coverage    0.00%   0.00%           
======================================
  Files           3       3           
  Lines          24      24           
======================================
  Misses         24      24           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants